Security researchers have uncovered the CrashOverride malware framework used to take down part of the electrical grid in Kiev, Ukraine last year and experts warned the framework could be used against insecure utilities around the world.

On June 8th, anti-virus firm ESET, an IT security company headquartered in Bratislava, Slovakia, contacted industrial security firm Dragos, Inc., a Fulton, Md. an industrial cybersecurity startup, regarding an industrial control system (ICS) attack. Dragos researchers found that the malware framework, which they call CrashOverride, was used in December 2016 in an ICS attack on the Kiev electrical grid.

According to Dragos, the CrashOverride malware is “a modular framework consisting of an initial backdoor, a loader module, and several supporting and payload modules.” In a practical ICS attack, the malicious actor would first need to establish an internal proxy in order to install the backdoor. At this point, CrashOverride would download a data wiper module which “clears registry keys, erase files, and kill processes running on the system.

“The functionality in the CrashOverride framework serves no espionage purpose and the only real feature of the malware is for attacks which would lead to electric outages,” Dragos wrote in its report. “There are concerning scenarios in how this malware can be leveraged to disrupt grid operations that would result in hours of outages at targeted locations leading into a few days if done at multiple sites. However, it is important to know this is not a catastrophic scenario; there is no evidence the Electrum actors could use CrashOverride to do more than a few days of outages, and even to get a few days, would require the targeting of multiple sites simultaneously which is entirely possible but not trivial. CrashOverride is an extremely concerning capability but should not be taken with any doom and gloom type scenarios.”

Robert M. Lee, founder and CEO of Dragos, said ESET had already planned to go public with the CrashOverride information on June 12th, so Dragos had to move quickly on its analysis.

“If it was our decision we would have not published on the timeline we did but given that we did not control the timeline we worked our hardest over the 96 hours we had to hunt down samples of the malware, analyze it, find additional samples, and get details ASAP to industry partners and key members of the community as well as the appropriate government agencies,” Lee told SearchSecurity. “We do not disclose who all we notify in events like this but we made entities such as national CERTs around the world aware in that 96 hour time window as well once we were confident in our analysis.”

Protocol issues in ICS security

Another option for an ICS attack using CrashOverride would be to use an IEC 104 module “to serve in a ‘master’ role.”

“This raw functionality creates a Swiss army knife for substation automation manipulation yet also provides tailored functionality,” Dragos wrote. “The functions exposed to the malware operator are confined by the options of the configuration file.”

Andrea Carcano, co-founder and chief product officer for Nozomi Networks, an ICS security company based in San Francisco, said “the protocol communication used by CrashOverride is not a flaw per se.”

“The threat actor merely used legitimate commands to send incorrect directions to the substation control units,” Carcano told SearchSecurity “Once CrashOverride was able to penetrate the plant network, the communications it sent on the network were all using industrial protocols as they are intended to be used.”

Katie Moussouris, CEO of Luta Security, said on Twitter that the CrashOverride ICS attack method “shows how difficult it is to fix protocol-level security issues, especially in ICS.”

“It is a canonical example of multiparty vulnerability coordination, where the [vulnerabilities] are in a protocol implemented by many who must all fix [it],” Moussouris told SearchSecurity. “There’s nothing typical about the timeline, but it can take years, especially if a protocol revision requires new hardware design. Mitigation is case-specific. From disabling functionality that uses the protocol (usually not an option) to segmentation to other filtering.”

Richard Henderson, global security strategist at Absolute, an endpoint security company based in Vancouver, British Columbia, said an ICS attack using the IEC 104 module would be “pretty scary stuff if it was used to mess with Remote Terminal Units [RTUs].”

“Cascade failures are a very real risk in our modern, connected power system — we only need to go back to the Northeast blackout of 2003 to see how quickly an issue can spread and cause massive outages. In some cases it took days before power was restored,” Henderson told SearchSecurity. “A targeted attack on RTUs which can physically toggle station/substation breakers on or off could place other sections of the grid under massive stress… it wouldn’t be too much of a stretch to imagine some of those other systems on the grid falling over. This is one of the biggest threats facing ICS and SCADA today: there is a very real world threat when we marry cyber to the kinetic.”

Risks of ICS attack

Experts varied in opinions regarding the possibility of an ICS attack on utilities in the U.S., but said security can be lacking.

“In general, they are vulnerable because they were not designed with security in mind. Yet, they are exposed to danger more than ever due to increasing connections with business networks and the internet — sometimes inadvertent connections. Thus, once an attacker gets onto a plant network, they have a lot of ways of achieving their goals,” Carcano said. “Operators should use this discovery as a reminder to harden down access to ICS networks, review network segmentation and implement real-time ICS anomaly detection solutions, that would quickly alert them to unusual network communications.”

John Chirhart, federal technical director at Tenable, publisher of the Nessus vulnerability scanner based in Columbia, Md., said ICS attacks are becoming more likely because of how systems are becoming integrated into networks.

“Legacy systems were originally designed to be walled off and isolated from external threats, but with the explosion of interconnected networks, these systems have found themselves operating in blended environments,” Chirhart told SearchSecurity. “The reason ICS are so insecure is that they are typically treated as a separate attack surface, when in fact, it’s part of the new world of IT and must be constantly monitored, secured, and folded into an organization’s comprehensive modern security strategy.”

Bryan Singer, director of industrial cybersecurity services and sales for IOActive, Inc., a cybersecurity company headquartered in Seattle, said the danger of an ICS attack is somewhat limited because “utilities are already well equipped to respond to large disruptions of substation automation systems — they do it all the time for geological and meteorological events.”

“The larger question would be whether utilities are ready to handle a persistent malware threat which may require them to run their system with far more manual intercession than utilities today are used to doing. One thing that made some of the original attacks on the Ukrainian power grid have such minimal real impact is that they had only recently moved to digital systems, so there were knowledgeable operators ready and able to run in manual mode to keep the power on. In many other areas of the world including the United States, we are capable of the same manual operation, but it may take more resources than we have on hand at any given point if the outage is significant.”

David Zahn, general manager of ICS cybersecurity at PAS, an ICS security company headquartered in Houston, said utilities should be wary of assuming natural and human-powered ICS attacks are equivalent.

“There seems an undercurrent of surprise or reactionary concern when we hear details on how bad actors are advancing sophisticated means to attack critical infrastructure,” Zahn told SearchSecurity. “In power, we are in denial that a similar attack could happen in the US. We also get mired in misconceptions that we are well prepared because of regulation, or squirrels — yes squirrels — are more likely to bring down power than a hacker. The problem is that nation states have a plan, squirrels do not.”

Henderson was confident that “the security people working in critical infrastructure are among our best and brightest, and I have little doubt that they’re ready and watching for CrashOverride or other copycat attacks.”

“ICS/SCADA are some of the most critical pieces of technology in the world today. Literally everything society is built on today is built upon power, water, and industrial technology… and without those things, the world as we know it would grind to a standstill,” Henderson said. “Those are very scary words, and toe the line on fear-mongering, but I really do think that it’s that important of an issue. Does that make them more vulnerable to incident? I don’t think so… but it does make the impacts of attacks exponentially more dangerous, with the impact to reality that much larger.”